
Introduction to Practical Cryptography



  1. Introduction to Practical Cryptography Lecture 1 Overview Debbie Cook dcook AT cs.columbia.edu

  2. Agenda • Course Outline • Topics in cryptography • Basic • Terms • Privacy - Encryption • Authentication - Signatures • Integrity – Hash, MAC • Not-so Basic • Zero knowledge • Oblivious transfer • Proxy cryptography • Some Applications • Multiparty computation • Searchable encryption • Redaction • Current “hot” items • Hash Function • Pairings • Universal composability • Gap between theory and practice

  3. Course Outline • Overview - today • Basics: lectures 2-6 • Public key • Block ciphers • Stream ciphers • Hash functions • Cryptanalysis • Protocols • General topics: lectures 7-9 • Forward key security • Oblivious transfer • Zero knowledge • Multiparty computation • Searchable encryption • Redaction • Proxy cryptography • Universal composability • Exam

  4. Grading + Contact Info • One homework (50% - tentative) • One 2 hour exam during last class (50% - tentative) • My email: dcook AT cs.columbia.edu • Slides for lectures are available at http://www.cs.columbia.edu/~dcook/forth • All lecture slides are currently posted, but are subject to small modifications

  5. Agenda • Course Outline • Topics in cryptography • Basic • Terms • Privacy - Encryption • Authentication - Signatures • Integrity – Hash, MAC • Not-so Basic • Zero knowledge • Oblivious transfer • Proxy cryptography • Some Applications • Multiparty computation • Searchable encryption • Redaction • Current “hot” items • Hash Function • Pairings • Universal composability • Gap between theory and practice

  6. Terms • Private Key (symmetric key) • Public Key (asymmetric key) • Hash Function

  7. Symmetric Key • Shared secret key k, held by both Alice and Bob • Alice → Bob: C1 = Ek(P1); Bob recovers P1 = Dk(C1) • Bob → Alice: C2 = Ek(P2); Alice recovers P2 = Dk(C2)

  8. Symmetric Key Cryptography • Secret key – one key, shared by both parties • General categories of algorithms • Block ciphers • Stream ciphers • Designed by heuristics: well analyzed, components chosen for defined properties (nonlinearity, diffusion) • But, unlike public key algorithms, whose security reduces to a stated hard problem (factoring, discrete log), there is no such reduction; confidence comes from resistance to known attacks • Faster than public key algorithms

  9. Uses • Encryption of data • Files, disk, large plaintext, streaming data • Random number generator for OTPs • RSA token, VASCO digipass

  10. Block Ciphers • Input: a fixed-size block of data (plaintext P) and a secret key • Output: ciphertext C • Encryption: (secret key, P) → C • Decryption: (secret key, C) → P

  11. AES – 128-bit block • Input: 128-bit plaintext • Initial whitening: AddRoundKey • 9 rounds of: S-box (SubBytes), ShiftRows, MixColumns, AddRoundKey • Last round: S-box, ShiftRows, AddRoundKey (no MixColumns) • Output: 128-bit ciphertext • (9 + 1 = 10 rounds is the 128-bit-key variant; 192- and 256-bit keys use 12 and 14 rounds)

  12. Stream Ciphers • Stream cipher outputs keystream, KS • KS produced by a function, F, that is initialized with a key, k • C = Ek(P) = P ⊕ KS • P = C ⊕ KS • k (and hence KS) can be used only once • C1 = Ek1(P1); C2 = Ek2(P2) • C1 ⊕ C2 = P1 ⊕ KS1 ⊕ P2 ⊕ KS2 = P1 ⊕ P2 if KS1 = KS2 • Attacker then sees where P1 and P2 have identical bits (zero bits in P1 ⊕ P2) • If part of P1 is known (packet headers, format information), the corresponding part of P2 follows directly: P2 = (C1 ⊕ C2) ⊕ P1 • Period – how long is KS before it starts repeating? • repeating is equivalent to reusing a key • Period of 2^32 bits repeats after ~8.5 minutes when encrypting 1 MB/sec

  13. Stream Ciphers – General Concept (synchronous) • State (initialized from the key) → next-state function → output function → keystream bit/byte ksi; ci = pi ⊕ ksi • Keystream depends only on the key and internal state, not on the ciphertext • Both ends need to be in synch • Lost bit garbles rest of data • Flipped bit impacts one bit

  14. Stream Ciphers – General Concept (self synchronizing / asynchronous) • Next state is computed from the key and a subset of the previous ciphertext bits ci, so the receiver can resynchronize from the ciphertext itself • Both ends don't need to be in synch • Lost or flipped bit garbles some number of subsequent bits

  15. eSTREAM Phase 3 Candidates http://www.ecrypt.eu.org/stream/phase3list.html key lengths: 128 bits for SW and 80 bits for HW

  16. RC4 • S-Box creation (key schedule): S-Box is a key-dependent permutation of 0 to 255 (lookup table)
    input key; if key is shorter than 256 bytes, repeat it until 256 bytes
    for (i = 0; i < 256; ++i) { S[i] = i; // initialize S-Box
                                K[i] = ith key byte; }
    j = 0;
    for (i = 0; i < 256; ++i) { j = (j + S[i] + K[i]) mod 256; swap(S[i], S[j]); }
  • Keystream generator: two S-Box entries form an index into the S-Box; output that S-Box entry (one byte per step)
    i = 0; j = 0;
    loop {
      i = (i + 1) mod 256;
      j = (j + S[i]) mod 256;
      swap(S[i], S[j]);
      t = (S[i] + S[j]) mod 256;
      ks_byte = S[t];
    }
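The RC4 key schedule and keystream generator above, followed by the keystream-reuse attack of slide 12 (C1 ⊕ C2 = P1 ⊕ P2), as an added Python example that is not code from the lecture. The test vector is the commonly published RC4 vector for key "Key"; the two messages with a shared header are constructed. RC4 is broken and appears here only to show how a stream cipher and its misuse look in code.

```python
# Added example: RC4 as given on the slide, then the keystream-reuse attack of
# slide 12. Messages are constructed; RC4 is used for illustration only.


def rc4_ksa(key: bytes) -> list:
    """Key schedule: build the key-dependent permutation S of 0..255.
    A key shorter than 256 bytes is repeated cyclically (K[i] = key[i mod len])."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Keystream generator: two S-box entries form an index into S, and the
    entry found there is the next keystream byte."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: C = P xor KS."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def keystream_reuse_attack(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts made with the same key share the keystream, so
    C1 xor C2 = P1 xor P2; every known byte of P1 yields the byte of P2 at
    the same position. The key is never touched."""
    p1_xor_p2 = xor_bytes(c1, c2)
    return xor_bytes(p1_xor_p2, known_p1)      # zip truncates to the known part


def identical_positions(c1: bytes, c2: bytes) -> list:
    """Positions where P1 and P2 carry identical bytes (zero bytes in
    C1 xor C2), visible with no knowledge of either plaintext."""
    return [i for i, b in enumerate(xor_bytes(c1, c2)) if b == 0]


def demo() -> dict:
    key = b"Key"
    # Constructed messages: both start with the same fixed header, as packet
    # formats commonly do, and the attacker is assumed to know all of p1.
    p1 = b"HDR1:hello world"
    p2 = b"HDR1:SECRET VALUE"
    c1 = rc4_crypt(key, p1)
    c2 = rc4_crypt(key, p2)                   # same key reused: same keystream
    return {
        "vector": rc4_crypt(b"Key", b"Plaintext").hex(),   # published test vector
        "roundtrip": rc4_crypt(key, c1),
        "identical": identical_positions(c1, c2),
        "recovered_p2": keystream_reuse_attack(c1, c2, p1),
    }
```

`demo()` shows all three facts from the slide at once: the cipher round-trips, the shared header shows up as zero bytes in C1 ⊕ C2 before any plaintext is known, and knowing P1 hands over the first 16 bytes of P2.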

  17. Public Key • Each party has a public/private key pair: Alice (ka-pub, ka-priv), Bob (kb-pub, kb-priv); each knows the other's public key • Alice → Bob: C1 = Ekb-pub(P1); Bob recovers P1 = Dkb-priv(C1) • Bob → Alice: C2 = Eka-pub(P2); Alice recovers P2 = Dka-priv(C2)

  18. Public Key Cryptography • Uses a key pair – one component is public, one component is private • Algorithms used in practice depend on the mathematical hardness of factoring or of computing discrete logs.

  19. Uses • Signatures • Non-repudiation: signature had to be generated by someone holding the private key • Encrypt small amounts of data, such as in key exchange protocols • Establish a shared secret (Diffie-Hellman key agreement)

  20. RSA • Generate two large distinct primes p and q (at least 1024 bits each); let n = pq • Compute φ(n) = (p − 1)(q − 1) • Pick two integers e and d such that ed ≡ 1 (mod φ(n)), where 1 < e < φ(n) and e and φ(n) are coprime • The public key is <e, n>; the private key is <d, n> (p, q and φ(n) must also stay secret: any of them yields d) • The security of the system relies on the difficulty of factoring n • Finding such primes is easy; factoring n is believed to be hard

  21. RSA • Message m is an integer with 0 ≤ m < n • Encrypt: c = m^e mod n • Decrypt: m = c^d mod n • Why? c^d mod n = m^(ed) mod n; since ed ≡ 1 (mod φ(n)) we can write ed = kφ(n) + 1 for some integer k, so m^(ed) = m^(kφ(n)+1) = (m^φ(n))^k · m ≡ 1^k · m = m (mod n) by Euler's theorem • Euler's theorem needs gcd(m, n) = 1; the case gcd(m, n) ≠ 1 still decrypts correctly, but by a separate argument (Chinese remainder theorem over p and q) • In practice m is never the raw message but a padded encoding of it (e.g. OAEP): textbook RSA as written is deterministic and malleable
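Key generation, encryption and the decryption argument of slides 20–21 on toy-sized primes, as an added Python example (not code from the lecture), together with a trial-division factoring attack that shows what "security relies on factoring n" means. The primes 61 and 53, e = 17 and the messages are constructed; real keys use primes of at least 1024 bits and a padding scheme.

```python
# Added example: textbook RSA in the slide's notation on toy-sized primes, plus
# a factoring attack that recovers d. Primes and messages are constructed; real
# keys use >= 1024-bit primes and never encrypt a raw integer without padding.
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) with e*d = 1 mod phi(n), phi(n) = (p-1)(q-1)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                  # modular inverse (Python >= 3.8)
    return (e, n), (d, n)


def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("m must be an integer in [0, n)")
    return pow(m, e, n)                  # c = m^e mod n


def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)                  # m = c^d mod n


def euler_step_holds(p: int, q: int, m: int) -> bool:
    """The slide's proof uses m^phi(n) = 1 mod n, which Euler's theorem gives
    only when gcd(m, n) = 1. Decryption is still correct otherwise (CRT over
    the distinct primes p and q), but that one-line argument does not cover it."""
    n, phi = p * q, (p - 1) * (q - 1)
    return pow(m, phi, n) == 1


def recover_d_by_factoring(pub) -> int:
    """If n can be factored, anyone recomputes phi(n) and hence d. Trial
    division is feasible only for a toy n; that is the whole point of key size."""
    e, n = pub
    p = next(x for x in range(2, n) if n % x == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))
```

With p = 61, q = 53, e = 17 the key is (17, 3233) / (2753, 3233); m = 65 encrypts to 2790 and decrypts back. `euler_step_holds` is false for m = 61 (a multiple of p), yet decryption still round-trips, which is why the proof on the slide is usually stated with the gcd condition.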

  22. RSA Parameter sizes • n of 2048 bits: security roughly equivalent to a 112-bit symmetric key • n of 3072 bits: equivalent to a 128-bit AES key • n of 15360 bits: equivalent to a 256-bit AES key • NIST SP 800-57, May 2006, Recommendation for Key Management – Part 1

  23. Privacy - Encryption • Considerations • Type of data/application - suitable for public or private key • Supported algorithms • Performance • Key distribution • Key security

  24. Authentication - Signatures • Signature: typically hash the data, then apply the private-key operation of a public key algorithm to the hash (for RSA this looks like "encrypting" the hash with the private key) • Verification: apply the public-key operation to the signature, hash the original data, compare the results • Non-repudiation – the signer can't refute the validity of signed data • Issues • Time – signed it, but when? (a signature alone carries no trustworthy timestamp) • Key security

  25. Integrity - MACs • Want to know the data has not changed • Hash function • Message Authentication Code (MAC)

  26. Hash Properties • Map bit strings of arbitrary length to fixed-length outputs: h = hash(m), h is fixed-length and short • Not injective, but collisions unlikely • Example: 2^160 possible values for a 160-bit output (SHA-1 sized; SHA-1 collisions have since been found in practice) • Computationally infeasible to generate collisions • Computationally infeasible to invert

  27. Hash Properties • Preimage resistant: given h, hard to find m such that h = hash(m) • Second preimage resistant: given m1, hard to find m2 (≠ m1) such that hash(m1) = hash(m2) • Collision-resistant: hard to find m1 and m2, m2 ≠ m1, such that hash(m1) = hash(m2)
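The three properties on slides 26–27 differ in attack cost: a collision can be found by a birthday search after about 2^(t/2) hash evaluations for a t-bit output, whereas a (second) preimage needs about 2^t. The added Python example below (not code from the lecture) measures both on SHA-256 truncated to a few bits so that the searches finish in seconds; the inputs are constructed counters.

```python
# Added example: collision search versus second-preimage search on a hash
# truncated to `bits` bits. Inputs are constructed counter strings.
import hashlib


def trunc_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256, standing in for a hash with 2^bits outputs."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - bits)


def find_collision(bits: int, limit: int = 1 << 24):
    """Birthday search: remember every output seen; a repeat is expected after
    roughly 2^(bits/2) inputs. Returns (m1, m2, evaluations) or None."""
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i
        h = trunc_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def find_second_preimage(target: bytes, bits: int, limit: int = 1 << 24):
    """Brute force: a table does not help here, every attempt hits only with
    probability 2^-bits, so about 2^bits evaluations are expected.
    Returns (m, evaluations) or None."""
    want = trunc_hash(target, bits)
    for i in range(limit):
        m = b"alt-%d" % i                    # never equal to a "msg-" target
        if trunc_hash(m, bits) == want:
            return m, i + 1
    return None
```

Running `find_collision(32)` typically succeeds after tens of thousands of evaluations, while `find_second_preimage(b"msg-0", 16)` needs a comparable number for a hash only half as wide; the same gap is why a 160-bit hash offers about 80 bits of collision resistance but 160 bits of preimage resistance.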

  28. MAC • Message Authentication Code – keyed hash • Examples: • Encrypt hash with symmetric key cipher • HMAC: H((K ⊕ c1) || H((K ⊕ c2) || m)) where c1 = 0x5c5c5c… (opad), c2 = 0x363636… (ipad), and K is zero-padded to the block size of H (hashed first if it is longer than a block)

  29. Hash - Uses • Integrity • Hash file/message • Changes detectable provided attacker can’t recompute and replace hash value after modifying file/message • Authentication • Signature: hash data to shorten (for efficiency) then encrypt with public key algorithm • Append shared secret to unencrypted data then hash • Random bits • OATH OTP standard
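HMAC built exactly from the formula on slide 28 and checked against the standard library, as an added Python example (not code from the lecture) for the keyed-hash integrity use on slides 28–29. The test vectors are RFC 4231 cases 1 and 2; the other keys and messages are constructed.

```python
# Added example: HMAC-SHA256 from the slide's formula,
# H((K xor c1) || H((K xor c2) || m)), compared with the standard library.
import hashlib
import hmac

BLOCK = 64                 # SHA-256 block size in bytes
OPAD, IPAD = 0x5C, 0x36    # c1 and c2 on the slide


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    if len(key) > BLOCK:                          # long keys are hashed first ...
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")               # ... then zero-padded to one block
    o_key = bytes(k ^ OPAD for k in key)          # K xor c1
    i_key = bytes(k ^ IPAD for k in key)          # K xor c2
    inner = hashlib.sha256(i_key + msg).digest()  # H((K xor c2) || m)
    return hashlib.sha256(o_key + inner).digest() # H((K xor c1) || inner)


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a plain == on tags leaks timing."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()
```

`verify` rejects any change to the message or the tag, which is the "changes detectable provided the attacker can't recompute the hash" condition of slide 29: without K the attacker cannot recompute the tag.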

  30. In Practice • Heuristics • Simple operations, performance: • Iterative, series of rounds • Diffusion through logical operations, addition, shifts, rotates

  31. Agenda • Course Outline • Topics in cryptography • Basic • Terms • Privacy - Encryption • Authentication - Signatures • Integrity – Hash, MAC • Not-so Basic • Zero knowledge • Oblivious transfer • Proxy cryptography • Some Applications • Multiparty computation • Searchable encryption • Redaction • Current “hot” items • Hash Function • Pairings • Universal composability • Gap between theory and practice

  32. Zero Knowledge • Alice: "I know X" – Bob: "Prove it" – some exchange that convinces Bob, but which does not provide X • Interactive method for Alice to prove to Bob that she has/knows x without revealing x to Bob • Motivation: authentication • Alice wants to prove her identity to Bob via some secret but doesn't want Bob to learn anything about this secret • Login methods where the password is not stored on the server (maybe a hash of the password is stored) • Alice (user/client) proves to Bob (server) that she knows the password without giving Bob the password

  33. Zero Knowledge • Jean-Jacques Quisquater et al., "How to Explain Zero-Knowledge Protocols to Your Children" • Peggy (prover) has uncovered the secret password to open a magic door in a cave. The cave is shaped like a circle, with the entrance on one side and the magic door blocking the opposite side. • Victor (verifier) will pay Peggy for the secret, but not until he's sure that she really knows it. Peggy says she'll tell him the secret, but not until she receives the money. • Zero knowledge – need a method by which Peggy proves to Victor that she knows the word without telling it to him • (figure: circular cave, entrance, paths A and B, door opposite the entrance)

  34. Zero Knowledge • Solution • Victor waits outside the cave, Peggy goes in. Label the left and right paths from the entrance A and B. She takes either A or B at random (Victor does not know which) • Victor enters the cave and shouts the path (A or B, chosen at random) on which she must return • Peggy returns along the path chosen by Victor, opening the door if it was not the path on which she had entered the cave • If Peggy did not know the password, there is a 50% chance she can return on the correct path; repeat the above many times and Peggy's chance of succeeding every time becomes negligible (assume the chance of Peggy guessing the password is negligible) • If Peggy returns correctly each time, this convinces Victor that she knows the password • (figure: cave with paths A and B and the door)
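A simulation of the cave protocol of slides 33–34, as an added Python example (not code from the lecture): an honest Peggy passes every round, while a Peggy who does not know the word passes a round only when Victor happens to name the path she entered by, so her chance of surviving n rounds is (1/2)^n. The randomness is seeded so the run is reproducible.

```python
# Added example: the Quisquater cave protocol, simulated round by round.
# Seeded randomness for reproducibility; the protocol itself is from the slides.
import random


def run_rounds(rounds: int, peggy_knows_word: bool, seed: int = 7) -> int:
    """Number of rounds Peggy passes out of `rounds`. Victor's challenge is
    independent of Peggy's hidden entry path, so only someone who can open
    the door can always comply."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(rounds):
        entered = rng.choice("AB")       # Peggy's hidden choice, unseen by Victor
        challenge = rng.choice("AB")     # Victor shouts the path she must return on
        if peggy_knows_word or entered == challenge:
            passed += 1                  # door opened, or she was already on that path
    return passed


def convinced(rounds: int, peggy_knows_word: bool, seed: int = 7) -> bool:
    """Victor accepts only if every single round was passed."""
    return run_rounds(rounds, peggy_knows_word, seed) == rounds


def cheat_survival_probability(rounds: int) -> float:
    """Chance that an impostor passes all rounds: (1/2)^rounds (soundness error)."""
    return 0.5 ** rounds
```

Note what Victor learns from a transcript: a list of (challenge, returned-correctly) pairs that he could have produced himself by agreeing the challenge with Peggy in advance, which is why the exchange leaks nothing about the word.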

  35. Oblivious Transfer • Alice transfers a secret bit m (0 or 1) to Bob with probability ½ such that • Bob knows whether or not he received m • Alice doesn't know whether m was transferred to Bob

  36. Oblivious Transfer – Application • Alice and Bob will each sign a contract only if the other also signs it • Idea • If names are of equal length, could sign a letter at a time, alternating • But someone must go last and could abort – not complete last letter • Sign small fragment at a time – bit, pixel • Don’t know who will be last • If one stops, both are approximately at same point • But one could send garbage in a fragment • Oblivious transfer solves the problem

  37. Proxy Cryptography • Convert ciphertext from encryption with one key to encryption with another key: • Encrypt with one key, let recipient decrypt with some other key • Similar notion for signatures: sign with one key, let recipient verify with another key.

  38. Proxy Cryptography • Can the proxy see the data during the conversion, or gain any information about it? What keys does the proxy have? • Alice: C1 = Eka(P) • Proxy: C2 = Hkab(C1), a conversion keyed by some proxy key kab • Bob: P = Dkb(C2) • Naive conversion C2 = Ekb(Dka(C1)) exposes P to the proxy and requires it to hold ka and kb – is that acceptable, or not? The goal is a conversion in which the proxy learns neither P nor the parties' keys

  39. Proxy Cryptography • VPNs • File servers • Transform A’s signature into B’s signature

  40. Secure Multi-Party Computation • A set of parties with private inputs wish to compute some joint function of their inputs. • Parties wish to preserve some security properties. E.g., privacy and correctness. • Example: secure election protocol • Security must be preserved in the face of adversarial behavior by some of the participants

  41. Secure MPC • Alice has a secret key, s, (such as a key to a system) • Afraid she may lose s • Wants to give it to someone, but doesn't trust anyone with the entire secret • Share the secret among n people: s = s1 ⊕ s2 ⊕ s3 ⊕ s4 ⊕ s5 ⊕ … ⊕ sn (all n shares are needed to recover s)

  42. Secure MPC • Suppose more flexibility is needed: the ith person loses si or is malicious • n people • Any subset of size t can recover s • Any subset of size < t cannot recover any information about s • (a (t, n) threshold scheme)
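The XOR sharing of slide 41 and a (t, n) threshold scheme for slide 42, as an added Python example (not code from the lecture). The threshold scheme used is Shamir secret sharing over a prime field, which the slide does not name: a random polynomial of degree t − 1 with the secret as constant term, one point per share, and Lagrange interpolation at 0 to recover. The secret values, the field prime and the seed are constructed.

```python
# Added example: XOR n-of-n sharing (slide 41) and Shamir (t, n) threshold
# sharing (slide 42). Secrets and the prime are constructed.
import random

P = (1 << 127) - 1      # prime modulus of the share field; integer secrets < P


def xor_split(secret: bytes, n: int, rng) -> list:
    """s = s1 xor ... xor sn: n-1 random shares, the last share fixes the XOR."""
    shares = [bytes(rng.getrandbits(8) for _ in secret) for _ in range(n - 1)]
    last = secret
    for sh in shares:
        last = bytes(a ^ b for a, b in zip(last, sh))
    return shares + [last]


def xor_join(shares: list) -> bytes:
    out = bytes(len(shares[0]))
    for sh in shares:
        out = bytes(a ^ b for a, b in zip(out, sh))
    return out


def shamir_split(secret: int, t: int, n: int, rng) -> list:
    """Random polynomial f of degree t-1 with f(0) = secret; share i is (i, f(i))."""
    if not (1 <= t <= n < P and 0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]

    def f(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(i, f(i)) for i in range(1, n + 1)]


def shamir_join(shares: list) -> int:
    """Lagrange interpolation at x = 0. With t or more shares this is f(0);
    with fewer it is f(0) of an unrelated polynomial, i.e. no information."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P   # Python >= 3.8
    return total


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)   # seeded for reproducibility; use SystemRandom in practice
    key = b"constructed-secret-key"
    xs = xor_split(key, 4, rng)
    ss = shamir_split(0xC0FFEE, 3, 5, rng)
    return {
        "xor_all": xor_join(xs) == key,
        "xor_missing_one": xor_join(xs[:3]) == key,
        "any_three": shamir_join([ss[0], ss[2], ss[4]]) == 0xC0FFEE,
        "all_five": shamir_join(ss) == 0xC0FFEE,
        "only_two": shamir_join(ss[:2]) == 0xC0FFEE,
    }
```

The XOR scheme tolerates no loss at all (drop one share and the result is random), which is exactly the inflexibility slide 42 starts from; the threshold scheme recovers from any three of five shares and gives two holders nothing.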

  43. Application of 2PC • On-line bidding • If seller's price ≤ buyer's price, sell at the average of the two • Privacy: don't want to announce exact prices • Correctness: don't sell for less than the asking price

  44. Application of MPC • Auctions • Parties: 1 auctioneer, (n-1) bidders • Consider secret bids: • An adversary may wish to learn the bids of all parties – preventing this requires privacy • An adversary may wish to win with a lower bid than the highest – preventing this requires correctness • Elections • Many voters • Correctness: outcome (election winner) determined by the votes • Privacy: no information about individual votes revealed • Can't say Alice voted for Bob • But what can be said: the town of Sandy Hook had a majority vote for Bob, when only 20 people reside there?

  45. Searchable Encryption • (figure: a client sends a query to an encrypted data repository and receives a response)

  46. Untrusted Remote Storage • Remote storage is ubiquitous: • E-mail, backups, CVS, Department servers

  47. Searchable Encryption • Store data externally • encrypted • want to search the data easily • avoid downloading everything and then decrypting • allow others to search the data without having access to the plaintext

  48. Searchable Encryption - Factors • When searching, what must be protected? • retrieved data • search query • search query outcome (was anything found?) • Scenario • single query vs multiple queries • non-adaptive: series of queries, each independent of the others • adaptive: form next query based on previous results • # of participants • single user (owner of data) can query data • multiple users can query the data, possibly with access rights defined by the owner

  49. Redaction • Removal of information from documents, media … • Text example from the slide (the blacked-out portions are not recoverable in this transcript): "The project involved people with a budget of" • Image with a brand name that must be removed

  50. Redaction Example • Original content: • John Doe testified that Al Smith did not commit the crime. • After redaction: • [REDACTED] testified that Al Smith did not commit the crime. • testified that Al Smith did not commit the crime. • If redaction is not indicated, the meaning can be changed: • John Doe testified that Al Smith did not commit the crime. • John Doe testified that Al Smith did commit the crime.
